About Brandon_Wertz

I don't think there's a "better," more to do with which you can use...I played with the idea of using SNMP for "important" stuff and syslog for general logs, but in the end I just went with syslog. ... View more

In "Device" --> "Log Settings"  --> "System" and "Config" just use a configured Syslog profile to send have the desired logs sent to the configured syslog profile   --Edit-- The same can be said for SNMP. ... View more

I think I found the issue...I'm still waiting for a group policy change to propgate through my enviornment of >35k users, but I think this was the source of my problem:   The primary form of UIA attribution is from AD logs of some sort (passive)   The second form of authentication is UIA NTLM browser credential request (active – behind the sceens)   The third form is direct Captive Portal NTLM prompt (Active - if Transparent) or web page redirect (Active - if on Redirect mode).     The issue was with the second form it was basically non-existent for these reasons: http://clintboessen.blogspot.com.au/2013/09/ie-10-prompting-for-credentials-windows.html https://support.microsoft.com/en-us/kb/943280   As most of my users use laptops with an active wired and wireless Ethernet adapter their PCs have two IPs.  Given the passive attribution only works for a single given adapter the second browser NTLM credential request is really important to us to prevent a user pop-up.  This brings us to our issue.   The Windows environment sees Web requests coming from fully qualified domains as “Internet” sourced domains and as such does not pass credentials to those web pages unless specifically told to do so.  So in our case the Palo Alto internal VIP performing a NTLM credential request to a host browser isn’t working.   A necessary modification to the Windows environment is described in the above two URLs.  Adding the source of the NTLM request enables the windows client to successfully pass credentials to the firewall which allows the second non-intrusive form of authentication to be completed. ... View more

I'm kind of confused...   Your issue is that in your enviornment UIA isn't always providing user attribution for users logged into your domain?   And you're saying that the CP process isn't fully identifying the remaining users that have not been idenfited?  ... View more

We've had 12 hits since 1am...Most of which were .xls or .pdf   0 in the previous 3 days. ... View more

The firewall is a security tool.  We should be first asking what's important...What's critical to have.  It's annoying that everytime I'm on a TAC call I usually get the "you really shouldn't log on session start" comment.   The problem with not logging on session start is you're only notified when the session has ended (obvious.)  The problem with saying "only use it for troubleshooting" is how do you troubleshoot something in the past?   Say for instance an FTP session, that session could be open for minutes, hours, or even days.  You'd never be notified about that traffic until the session was closed.   Every one of my rules logs session start.  Over 20k user network and we generate about 3 million logs a day.  Our Panorama has 2TB of storage and we just shy of 2 months of on box retention. ... View more

Here's what the report looks like:     You can click each count and view specifics for each rule. ... View more

Not exactly certain what you're looking for, but you might want to look into a tool called FireMon.   The UI of this tool replicates other product enviornments.     FireMon has the ability to suggest rule combination changes.  Not only will it tell you when/last/how often a rule was used.  It gives you usage of objects within a specific rule.  (Something Palo UI won't do)   FireMon works with ASAs, CheckPoint, Palo...a wide varitey of platforms. ... View more

Not only that the "error" that pops up within IE basically doesn't provide any info to the user that this non-support from Palo is the problem.   Further within your decryption profile you should be able to say "don't intercept" for unsupported ciphers, but that's a joke.   I opened a case and TAC bascially said yeah it's not working.  You just have to add the sites as you come to across them to the SSL bypass.  He also said 7.X has better support, but seeing all the current issues I'm not about to migrate my entire enterprise to a version of code that has more problems than it's worth. ... View more

It's not what you want to hear probably, but I just created a spreadsheet which shows this type of info. ... View more

Going on 11 days now...Still no action in the categorization request. Geeze I sure hope no other companies user credentials have been stolen in this time. ... View more

Yes.   We do the initial "automated process" either through URL logs or direct on the site.   I can recount at least 5 times where people at my company "suggest" a site as "malware" or "phishing" only to have the canned response thanks but no thanks.   So we submit an case, which is what I did in this instance as well.  We're now going on 8 days with no resolution for the case.   This screen shot was included in the support case...How is this not an automatic action...Tip...I don't work for "swlacomps.com" they shouldn't be asking my users to put their credentials in.   ... View more

I should add, it was categorized as unkown and got categorized as "real-estate" prior to the 10th, which precipitated the support request.   We submitted the inital one as phishing, to which Palo's categorization was "real-estate." ... View more

Also, last night I was looking through our applications as my company use O365 too.  I'm not sure what part of the service you're using but we allow:   ms-office365-base outlook-web-online sharepoint-base sharepoint-online sharepoint-documents office-on-demand skydrive-base live-mesh-base SSL web-browsing ... View more